wiki: add rsyslog requirement to migration checklist and logwatch docs

Fedora 44 Hetzner images ship without rsyslog — logwatch produces zero output because /var/log/messages doesn't exist. Added rsyslog to baseline table and new diagnostic section to logwatch article. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-13 10:36:00 -04:00 · 2026-05-13 10:36:00 -04:00 · 4ec481c584
commit 4ec481c584
parent c22457f1aa
2 changed files with 29 additions and 2 deletions
--- a/02-selfhosting/cloud/vps-migration-baseline-checklist.md
+++ b/02-selfhosting/cloud/vps-migration-baseline-checklist.md
@ -10,7 +10,7 @@ tags:
  - checklist
 status: published
 created: 2026-05-09
-updated: 2026-05-11T07:33
+updated: 2026-05-13T10:35
 ---

 # VPS Migration Baseline Checklist
@ -61,6 +61,7 @@ Every server in the fleet should have these. Check each one after migration:
 | SSH hardening | `openssh-server` | `openssh-server` | `configure_ssh_hardening.yml` | Key-only, no root password |
 | Timezone | — | — | — | US servers: `America/New_York`; UK: `Europe/London`. Hetzner defaults to UTC. |
 | CA bundle (Fedora) | `ca-certificates` | `ca-certificates` | — | Verify `/etc/pki/tls/certs/ca-bundle.crt` symlink exists — see [Fedora CA bundle fix](../../05-troubleshooting/security/fedora-ca-bundle-missing-symlink.md) |
+| Syslog (Fedora) | `rsyslog` | — (pre-installed) | — | Fedora 44 Hetzner images have journald only. Logwatch needs `/var/log/messages` + `/var/log/secure`. |

 ### After Migration

--- a/02-selfhosting/monitoring/logwatch-fleet-setup.md
+++ b/02-selfhosting/monitoring/logwatch-fleet-setup.md
@ -9,7 +9,7 @@ tags:
  - ubuntu
 status: published
 created: 2026-05-09
-updated: 2026-05-11T07:37
+updated: 2026-05-13T10:35
 ---

 # Logwatch Fleet Setup — Surviving Package Upgrades
@ -117,6 +117,32 @@ dpkg -V logwatch  # Debian

 # Look for S.5....T. on the defaults file — means it was replaced
 # S = size, 5 = md5, T = timestamp changed
+
+# Check if logwatch produces any output at all
+logwatch --output stdout --range yesterday | wc -l
+# If 0 lines — logwatch has no log data to report (see rsyslog section below)
+```
+
+## Fedora: rsyslog Missing — Logwatch Produces Zero Output
+
+Fedora 44 cloud images (Hetzner, possibly others) ship with **journald only** — no rsyslog. This means `/var/log/messages`, `/var/log/secure`, and `/var/log/cron` do not exist. Logwatch scans those files, finds nothing, produces empty output, and sends no email. Exit code is still 0 — no error anywhere.
+
+This is particularly insidious because everything else can be correct (crond running, postfix relaying, logwatch config pointing to the right recipient) and you'll still get silence.
+
+```bash
+# Diagnose
+rpm -q rsyslog          # "package rsyslog is not installed"
+ls /var/log/messages    # "No such file or directory"
+
+# Fix
+dnf install -y rsyslog
+systemctl enable --now rsyslog
+
+# Verify log files appear
+ls /var/log/messages /var/log/secure /var/log/cron
+
+# Test logwatch
+logwatch --output stdout --range today | wc -l   # should be >0
 ```

 ## Fedora CA Bundle Missing — Postfix TLS Engine Unavailable